
CISCO VPN_SITE_TO_SITE

soufiane.Max
Level 1

Hello,

I have a problem with one VPN link (I have 5 VPN links on this router; 4 are working fine).

I use NAT: ports 4500, 500, 50 are NATed on my ISP router to the Cisco router. My 4 VPN links are working fine.

The VPN link stops working after some random time.

That can take 3 hours, that can take 1 day...

When I type

show crypto ipsec sa

I have multiple results:

 

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.116.0/255.255.255.0/0/0)
   current_peer 51.x.x.119 port 36350
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 267326, #pkts encrypt: 267326, #pkts digest: 267326
    #pkts decaps: 200817, #pkts decrypt: 200817, #pkts verify: 200817
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

 
  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none

  inbound esp sas:

  inbound ah sas:

  inbound pcp sas:

  outbound esp sas:

  outbound ah sas:

  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none

  inbound esp sas:

  inbound ah sas:

  inbound pcp sas:

  outbound esp sas:

  outbound ah sas:

  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none

  inbound esp sas:
   spi: 0x41F4CCC5(1106562245)
     transform: esp-des esp-md5-hmac ,
     in use settings ={Tunnel UDP-Encaps, }
     conn id: 81, flow_id: Onboard VPN:81, sibling_flags 80000040, crypto map
tthmap
     sa timing: remaining key lifetime (k/sec): (4304754/58523)
     IV size: 8 bytes
     replay detection support: Y
     Status: ACTIVE(ACTIVE)

  inbound ah sas:

  inbound pcp sas:

  outbound esp sas:
   spi: 0xCE5D1A7A(3462208122)
     transform: esp-des esp-md5-hmac ,
     in use settings ={Tunnel UDP-Encaps, }
     conn id: 82, flow_id: Onboard VPN:82, sibling_flags 80000040, crypto map
tthmap
     sa timing: remaining key lifetime (k/sec): (4303844/58523)
     IV size: 8 bytes
     replay detection support: Y
     Status: ACTIVE(ACTIVE)

  outbound ah sas:

    outbound pcp sas:

    local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
    plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
    current outbound spi: 0xBB18678E(3138938766)
    PFS (Y/N): N, DH group: none

    inbound esp sas:
     spi: 0x34418B72(876710770)
       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel UDP-Encaps, }
       conn id: 83, flow_id: Onboard VPN:83, sibling_flags 80000040, crypto map
 ftthmap
       sa timing: remaining key lifetime (k/sec): (4222155/84434)
       IV size: 8 bytes
       replay detection support: Y
       Status: ACTIVE(ACTIVE)

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
     spi: 0xBB18678E(3138938766)
       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel UDP-Encaps, }
       conn id: 84, flow_id: Onboard VPN:84, sibling_flags 80000040, crypto map
 ftthmap
       sa timing: remaining key lifetime (k/sec): (4222130/84434)
       IV size: 8 bytes
       replay detection support: Y
       Status: ACTIVE(ACTIVE)

    outbound ah sas:

    outbound pcp sas:
ROUTERVPN#

All my links have 4500 as the port; in this output one VPN link has 36350 as a port? And this is the link that works randomly.

current_peer 51.x.x.119 port 36350

I don't know why I have this long output for this link?

I have multiple sa timing entries also:

 

routervpn#show crypto ipsec sa | include local  ident|remote ident|lifetime
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.xx.0/255.255.255.0/0/0)
        sa timing: remaining key lifetime (k/sec): (4367252/38359)
        sa timing: remaining key lifetime (k/sec): (4367355/38359)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.xxx.0/255.255.255.0/0/0)
        sa timing: remaining key lifetime (k/sec): (4314159/38743)
        sa timing: remaining key lifetime (k/sec): (4313734/38743)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.xx.0/255.255.255.0/0/0)
        sa timing: remaining key lifetime (k/sec): (4329696/46875)
        sa timing: remaining key lifetime (k/sec): (4321129/46875)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.xxx.0/255.255.255.0/0/0)
        sa timing: remaining key lifetime (k/sec): (4199082/41259)
        sa timing: remaining key lifetime (k/sec): (4197429/41259)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.xxxx6.0/255.255.255.0/0/0)
        sa timing: remaining key lifetime (k/sec): (4304754/57652)
        sa timing: remaining key lifetime (k/sec): (4303844/57652)
        sa timing: remaining key lifetime (k/sec): (4222155/83563)
        sa timing: remaining key lifetime (k/sec): (4222109/83563)
routervpn#
routervpn#

Please find in the attachment the whole configuration file (head office); there are 5 VPN configurations in this file.

Please can you help me to resolve this issue.

Best regards,

Max
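
An added example, not part of the original post: a Python sketch that summarizes `show crypto ipsec sa` output per flow, so the two things the post points out (a peer port other than 4500, and many endpoint blocks whose outbound SPI is 0x0) can be compared across all tunnels at once. The function name `summarize`, its `expected_port` parameter and the abridged sample input are assumptions made for this illustration.

```python
import re

# Constructed sample: abridged from the output quoted in the post.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.116.0/255.255.255.0/0/0)
   current_peer 51.x.x.119 port 36350
     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
     current outbound spi: 0xBB18678E(3138938766)
     inbound esp sas:
      spi: 0x34418B72(876710770)
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xBB18678E(3138938766)
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
"""

def summarize(text, expected_port=4500):
    """Return one dict per local/remote ident pair (hypothetical helper)."""
    flows, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"remote ident .*?: \(([^/]+)/", line):
            cur = {"remote_net": m.group(1), "peer_port": None, "endpoint_blocks": 0,
                   "zero_spi_blocks": 0, "active_sas": 0, "transforms": set()}
            flows.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"current_peer \S+ port (\d+)", line):
            cur["peer_port"] = int(m.group(1))
        elif line.startswith("local crypto endpt."):
            cur["endpoint_blocks"] += 1
        elif m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", line):
            cur["zero_spi_blocks"] += int(m.group(1), 16) == 0
        elif line.startswith("transform:"):
            cur["transforms"].update(line[len("transform:"):].replace(",", " ").split())
        elif line.startswith("Status: ACTIVE"):
            cur["active_sas"] += 1
    for f in flows:
        f["port_mismatch"] = f["peer_port"] != expected_port
        # Single DES and HMAC-MD5 are deprecated algorithms.
        f["weak_transform"] = bool(f["transforms"] & {"esp-des", "esp-md5-hmac"})
    return flows
```

Run over the full capture, a flow whose `endpoint_blocks` is far larger than its `active_sas` pairs, or whose `port_mismatch` is true, is the one to compare against the tunnels that stay up.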

 

 
